rm -rf remains

GIT – Just for fun, I decided to launch a new Linuxserver and run rm -rf/ as root to see what remains. As I found out, rm lives in the future with idiots like me, so you have to specify --no-preserve-root to kick this exercise off.

# rm -rf --no-preserve-root /

After committing this act of tomfoolery, great utilities like

/bin/ls

/bin/cat

/bin/chmod

/usr/bin/file

will all be gone! You should still have your connection over SSH as well as your existing bash session. This means you have all the bash builtins, like echo.

Becoming Bash McGyver

root@rmrf:/# ls
-bash: /bin/ls:No such file or directory

There is no ls, but echo and fileglobs are still around. What can we do with those?

With these abilities and the fact that we can write arbitrary bytes withecho, we could rebuild and then curl or wget the binaries we want directly. My first choice, echoed by others, would be to get busybox. Busybox is the Swiss Army Knife of Embedded Linux, with builtin versions of wget, dd, tar, and many others. Eusebeîa goes into great detail about how to get a fully escaped version of busybox on your system, so I won’t do that here.

There is a problem though.

Even if we echo all the bytes we need into creating entire binaries, those files won’t be executable. No way to start busybox. The easiest workaround for this is to find something which is executable and overwrite it with echo. We’ve nuked all of /usr and /bin at this point though, so that’s a bit tricky.

We can use shell globs and bash logic to find files with the executable bit set, making sure to ignore directories.